The use of mobile phones in Covid-19 contact tracing by some Asian countries has motivated some Western democracies to scope a similar approach to end the lockdowns. To-date, contact tracing through use of personal data has not been a possibility in the US and Europe. The reasons are primarily rooted in practical and legislative obstacles rather than missteps in policy response by governments. Tech giants Apple and Google offer new promising features for Covid-19 contact tracing with superior user privacy. However, the necessary user opt-ins and the timeframe for initial release means it is unlikely to feature in any official near-term solution to end the lockdowns. The UK offers the most favourable legal and political environment to implement extensive contact tracing similar to South Korea. Whilst temporary, such extraordinary measures leaves much execution risk, and may set the course for further divergence in data privacy standards between the UK and EU. Government transparency and oversight are paramount should extraordinary measures be taken in order to maintain public trust and to safeguard civil liberties.
In recent weeks, the divergent strategies adopted by governments around the world to contain the Covid-19 pandemic has sparked much scrutiny and public debate. The rapid deployment of mobile phone technology by the Chinese, South Korean, and Singaporean authorities in their testing and contact tracing strategy has receive much attention and praise by many including the World Health Organization (WHO). The relative success in containing the Coronavirus by the aforementioned Asian countries has left many pondering why other governments failed to implement similar measures to mitigate Covid-19 related deaths.
In considering the legal, political, and technological settings within each nation state, and their interplay, we can better understand the policy options available to each nations government.
We shall restrict our discussion solely to contact tracing. There is ample empirical evidence and analysis by experts (including the WHO) that extensive testing for Covid-19 has yielded undeniable positive results.
In the aftermath of the Edward Snowden revelations in 2014, the privacy rights of citizens, the nation state, and their intelligence services was the subject of much public scrutiny. At the heart of the allegations was that the US and UK governments, through their respective intelligence agencies, were spying on their own citizens. Subsequent independent judicial reviews found no broad based evidence of intelligence agencies snooping on citizens. Nevertheless, following an extended period of rigorous public debate, new legislation was introduced to clarify the remits of the intelligence agencies.
By and large, the bulk collection of communication metadata is deemed to be lawful by governmental agencies. However, access to the content of communications requires a permit from a high court judge. Put in simpler terms, GCHQ/NSA can see as much from your communication as the postman can read your mail unless granted special permissions. Under UK law, surveillance has to be justified as necessary and proportionate.
According to Sir David Omand, former head of GCHQ, UK law allows for warrants to be issued to allow intrusive investigative methods to be used by government agencies, including public health, subject to judicial scrutiny and oversight. Each case has to be justified as necessary and proportionate. He makes reference to our privacy rights in the UN Universal Declaration on Human Rights Article 12, but points out that in the European Convention on Human Rights (ECHR) ’the protection of health’ along with national security is listed as one of the reasons that governments may use when necessary to justify intrusions into the privacy rights of the citizen in the interests of the protection of the rights and freedoms of others, said Sir Omand.
Principled Spying – Sir David Omand
In short, during the Covid-19 pandemic there are sufficient legal grounds for the UK authorities to conduct contact tracing similar to South Korea.
Much of the recent criticism levelled at some western governments for their poor handling of the Covid-19 crisis has given rise to pro-authoritarian sentiment. In his recent article the myth of authoritarian coronavirus supremacy, Zack Beauchamp highlights the countries which fared best thus far in their virus containment strategy were not authoritarian regimes but those with “state capacity“. State capacity refers to a governments ability to collect taxes, enforce law and order, provide goods and infrastructure to the public, and centralise power at the national level. Later, it will become evident why state capacity is a prerequisite to a reliable technology lead contact tracing program.
There is ample empirical evidence linking authoritarian rule of law and abuse of human rights. In the digital era where data is power, high concentrations of data may sow the seeds for tools of suppression when fallen into the wrong hands. It is therefore important to assess the costs and benefits of permitting bulk collection of our digital footprints whether by public or private sector. Even in periods of crisis like today.
Now the tech
The rapid growth of consumer technology such as the smartphone and the associate applications has created trust built on convenience and functionality. It is important to distinguish this brand trust from the trust we place in government. In the former a private citizen preserves the option to opt out, in the latter, that is not the case. If regulators (governments) do their job right, the public will always maintain their rights to opt out of products and services and have sufficient alternatives. Moreover, private and public enterprise should be kept as separate as possible whilst permitting customer – vendor type partnerships. It is no secret the Chinese technology companies (Huawei, Tencent, and Baidu) are more intertwined with the government than their counterparts in the US (Apple, Google or Facebook).
Data is not technology like technology is not data
Rome was not built in a day, and neither is software technology. Despite the rapid advances in technology reported, and the ability of computers to process vast quantities of data for Machine Learning, the real-world applications are a long way from becoming reliable software. Most data scientists will tell you 90% of their work is preparation of data for processing – aggregation, cleansing, and automating of data feeds. In tech talk, one needs to convert the unstructured data into structured data.
Much like physical infrastructure such as roads and utility services, digital pipes need to be built so that data can flow to a command centre to be processed by powerful computers. This is the digital equivalent of providing state capacity, as discussed earlier. The result of the data-processing are output signals which most often require human review as part of an iterative process. Hypothetical examples of outputs would be:
- Did not come into any known Covid-19 positive patients the last 14 day
- Did come into contact with Covid-19 positive patient the last 14 days
- Did come into contact with Covid-19 positive patient, but more than 14 days ago
- Did come into contact with Covid-19 positive patient the last 14 days and is over 60 with no prior conditions
- Did come into contact with Covid-19 positive patient the last 14 days and is under 60 with an existing condition
- And so on..
In the final step, the output signals require secure communication with other services. For example, mobile network operators to send SMS notifications or updating medical records. Mobile network operators must not become mass repositories of customers private medical records. This rather simple example demonstrates both the practical challenges and potential pitfalls.
Reliable mobile contact tracing today is made possible by the investments in digital tools and infrastructure in prior years – not plug-and-play tools. South Korea was able to implement a rapid mobile phone contact tracing strategy following many decades of living under the threat of a hostile (nuclear) northern neighbour.
Big Tech Contract Tracing
In 2018 the EU passed important legislation (GDPR) to protect citizens ownership of personal data and bolster their rights to digital privacy. Moreover, government portals (e.g. Gov.uk) are prohibited from collecting personal data the same way as Google or Facebook would. Privacy laws, coupled with the recent troubled past between technology firms and governments, creates difficult terrains to form effective partnerships. However, rival tech giants Apple and Google recently announce a collaborative initiative to enable contact tracing through mobile phones to be released in coming months.
Together, Apple and Google operate 98% of the worlds mobile phones. This new technology will make use of near-field bluetooth and encryption, rather than location based tracking. This offers a new novel approach with enhanced user privacy though the exact details are yet to be finalised.
Apple and Google will not have access to users medical records and instead focus on providing the technology to a number of pre-approved apps (to be announced). At a later date, users will have the option to opt-in through an integrated feature and more robust privacy settings. (You can read more on the details here.)
The months long release date indicted by Apple and Google should serve as a good benchmark for the time-frames we can expect things to move forward. The case of patient 31 in South Korea illustrates well the problem of non-compliance or coercion by a single individual which undid much of the hard work undertaken by the authorities to contain the spread of the virus. Coupled with location based data, this may potentially prove a powerful tool in the future containment and management of the pandemic until a vaccine solution is found. Much like the aggressive targeting measures undertaken during by immunisation programs to prevent outbreaks, or tackling forest fires, as Prof Vardavas of the Rand Corporation described.
In an era of high capacity storage devices, and micro targeted political ads which require no more than a list of email addresses, it is crucial for independent handling of citizens data with adequate oversight to avoid the mistakes of the past.
With the initial outbreak already behind, let us not seek short term quick fix solutions with dubious benefit that may jeopardise the rights many before us have given lives to protect.
I am grateful to Dr Sonia Falconieri, Prof Sir David Omand, and Prof Raffaello Vardavas for helpful discussions in forming the opinions expressed in this article.
Playing to the Edge: American Intelligence in the Age of Terror by General Mike Hayden, former Head of CIA and NSA during the Edward Snowden era, gives a detailed account of the debate amongst the top legal scholar at the time in his book. Hayden describes the immediate aftermath of 9/11 as a period the intelligence service had to resort to extreme measures to achieve their primary object – prevent further loss of lives. A Pittsburgh Steelers fan, Hayden takes the metaphor of an American Football coach using every inch of the playing field to gain an edge over the opposition. Today, we face an invisible enemy in the form of the Coronavirus which may once again force governments to ‘play to the edge’. [Our previous interview with Gen Hayden on Cybersecurity]
Principled Spying: The Ethics of Secret Intelligence by Professor Sir David Omand former head of GCHQ (UK equivalent to the NSA) and Professor Mark Phythian. Leading scholars in the field at Kings College London, Sir David and his co-author offer a deep-dive debate on the ethical considerations that come to play in conducting state espionage. After his time in GCHQ Sir Omand went on to serve as the Permanent Secretary and Security and Intelligence Co-ordinator in the UK Cabinet Office (nearest equivalent to the US Director of National Intelligence).
The myth of authoritarian coronavirus supremacy, Zack Beauchamp, Vox.com on 26/03/2020.
UK government using confidential patient data in coronavirus response, The Guardian, 12/04/2020.
Apple and Google partner on COVID-19 contact tracing technology, Apple Press Release. 10/04/2020